author | brian <brian@FreeBSD.org> | 2004-11-29 17:11:15 +0000 |
---|---|---|
committer | brian <brian@FreeBSD.org> | 2004-11-29 17:11:15 +0000 |
commit | 5cb50742628dc40e5c863bf0359d9eb6bf149538 (patch) | |
tree | 3671250bedfb9a3ce78a425c8c972746dddfb609 | |
parent | 6800033a3cbeeb6d335f0b76563d55e79a996fe1 (diff) | |
download | FreeBSD-src-5cb50742628dc40e5c863bf0359d9eb6bf149538.zip FreeBSD-src-5cb50742628dc40e5c863bf0359d9eb6bf149538.tar.gz |
Send NAS-IP-Address as well as NAS-Identifier
Add ``disable NAS-IP-Address'' and ``disable NAS-Identifier'' options to
support pre-rfc2865 RADIUS servers.
This pushes our enable/disable items over the 32 bit limit, so reorganise
things to allow a bunch more options.
Go to version 3.4.1 so that any compatibility problems can be identified.
-rw-r--r-- | usr.sbin/ppp/bundle.c | 21 | ||||
-rw-r--r-- | usr.sbin/ppp/bundle.h | 53 | ||||
-rw-r--r-- | usr.sbin/ppp/command.c | 38 | ||||
-rw-r--r-- | usr.sbin/ppp/main.c | 2 | ||||
-rw-r--r-- | usr.sbin/ppp/ppp.8.m4 | 43 | ||||
-rw-r--r-- | usr.sbin/ppp/radius.c | 20 |
6 files changed, 120 insertions, 57 deletions
diff --git a/usr.sbin/ppp/bundle.c b/usr.sbin/ppp/bundle.c
index ebf4f07..912f855 100644
--- a/usr.sbin/ppp/bundle.c
+++ b/usr.sbin/ppp/bundle.c
@@ -829,12 +829,15 @@ bundle_Create(const char *prefix, int type, int unit)
 bundle.cfg.idle.min_timeout = 0;
 *bundle.cfg.auth.name = '\0';
 *bundle.cfg.auth.key = '\0';
- bundle.cfg.opt = OPT_IDCHECK | OPT_LOOPBACK | OPT_SROUTES | OPT_TCPMSSFIXUP |
- OPT_THROUGHPUT | OPT_UTMP;
+ bundle.cfg.optmask = (1ull << OPT_IDCHECK) | (1ull << OPT_LOOPBACK) |
+ (1ull << OPT_SROUTES) | (1ull << OPT_TCPMSSFIXUP) |
+ (1ull << OPT_THROUGHPUT) | (1ull << OPT_UTMP) |
+ (1ull << OPT_NAS_IP_ADDRESS) |
+ (1ull << OPT_NAS_IDENTIFIER);
 #ifndef NOINET6
- bundle.cfg.opt |= OPT_IPCP;
+ opt_enable(&bundle, OPT_IPCP);
 if (probe.ipv6_available)
- bundle.cfg.opt |= OPT_IPV6CP;
+ opt_enable(&bundle, OPT_IPV6CP);
 #endif
 *bundle.cfg.label = '\0';
 bundle.cfg.ifqueue = DEF_IFQUEUE;
@@ -870,7 +873,7 @@ bundle_Create(const char *prefix, int type, int unit)
 bundle.filter.alive.name = "ALIVE";
 bundle.filter.alive.logok = 1;
 {
- int i;
+ int i;
 for (i = 0; i < MAXFILTERS; i++) {
 bundle.filter.in.rule[i].f_action = A_NONE;
 bundle.filter.out.rule[i].f_action = A_NONE;
@@ -1050,9 +1053,9 @@ bundle_ShowLinks(struct cmdargs const *arg)
 }
 static const char *
-optval(struct bundle *bundle, int bit)
+optval(struct bundle *bundle, int opt)
 {
- return (bundle->cfg.opt & bit) ? "enabled" : "disabled";
+ return Enabled(bundle, opt) ? "enabled" : "disabled";
 }
 int
@@ -1142,6 +1145,10 @@ bundle_ShowStatus(struct cmdargs const *arg)
 optval(arg->bundle, OPT_THROUGHPUT));
 prompt_Printf(arg->prompt, " Utmp Logging: %s\n",
 optval(arg->bundle, OPT_UTMP));
+ prompt_Printf(arg->prompt, " NAS-IP-Address: %-20.20s",
+ optval(arg->bundle, OPT_NAS_IP_ADDRESS));
+ prompt_Printf(arg->prompt, " NAS-Identifier: %s\n",
+ optval(arg->bundle, OPT_NAS_IDENTIFIER));
 return 0;
 }
diff --git a/usr.sbin/ppp/bundle.h b/usr.sbin/ppp/bundle.h
index f34e9bf..e2f9e7f 100644
--- a/usr.sbin/ppp/bundle.h
+++ b/usr.sbin/ppp/bundle.h
@@ -33,27 +33,32 @@
 #define PHASE_TERMINATE 4 /* Terminating link */
 /* cfg.opt bit settings */
-#define OPT_FILTERDECAP 0x0001
-#define OPT_FORCE_SCRIPTS 0x0002 /* force chat scripts */
-#define OPT_IDCHECK 0x0004
-#define OPT_IFACEALIAS 0x0008
+#define OPT_FILTERDECAP 1
+#define OPT_FORCE_SCRIPTS 2 /* force chat scripts */
+#define OPT_IDCHECK 3
+#define OPT_IFACEALIAS 4
 #ifndef NOINET6
-#define OPT_IPCP 0x0010
-#define OPT_IPV6CP 0x0020
+#define OPT_IPCP 5
+#define OPT_IPV6CP 6
 #endif
-#define OPT_KEEPSESSION 0x0040
-#define OPT_LOOPBACK 0x0080
-#define OPT_PASSWDAUTH 0x0100
-#define OPT_PROXY 0x0200
-#define OPT_PROXYALL 0x0400
-#define OPT_SROUTES 0x0800
-#define OPT_TCPMSSFIXUP 0x1000
-#define OPT_THROUGHPUT 0x2000
-#define OPT_UTMP 0x4000
+#define OPT_KEEPSESSION 7
+#define OPT_LOOPBACK 8
+#define OPT_NAS_IP_ADDRESS 9
+#define OPT_NAS_IDENTIFIER 10
+#define OPT_PASSWDAUTH 11
+#define OPT_PROXY 12
+#define OPT_PROXYALL 13
+#define OPT_SROUTES 14
+#define OPT_TCPMSSFIXUP 15
+#define OPT_THROUGHPUT 16
+#define OPT_UTMP 17
+#define OPT_MAX 17
 #define MAX_ENDDISC_CLASS 5
-#define Enabled(b, o) ((b)->cfg.opt & (o))
+#define Enabled(b, o) ((b)->cfg.optmask & (1ull << (o)))
+#define opt_enable(b, o) ((b)->cfg.optmask |= (1ull << (o)))
+#define opt_disable(b, o) ((b)->cfg.optmask &= ~(1ull << (o)))
 /* AutoAdjust() values */
 #define AUTO_UP 1
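Review bot: The comment `/* cfg.opt bit settings */` above the renumbered list is now stale: the `OPT_` values are shift counts into the 64-bit `cfg.optmask`, not masks, and using one as a mask (`cfg.optmask & OPT_X`) would compile silently and be wrong. Suggest `/* cfg.optmask bit numbers (1..OPT_MAX): use only via Enabled()/opt_enable()/opt_disable(); must stay below 64 */`, plus a comment on `OPT_MAX` that it must track the last entry, since nothing in the header enforces either bound. The optmask field's `/* Uses OPT_ bits from above */` in the next hunk has the same problem and could read `/* bit OPT_x set => option enabled; see Enabled() */`.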
@@ -98,19 +103,19 @@ struct bundle {
 struct {
 struct {
- unsigned timeout; /* NCP Idle timeout value */
- unsigned min_timeout; /* Don't idle out before this */
+ unsigned timeout; /* NCP Idle timeout value */
+ unsigned min_timeout; /* Don't idle out before this */
 } idle;
 struct {
- char name[AUTHLEN]; /* PAP/CHAP system name */
- char key[AUTHLEN]; /* PAP/CHAP key */
+ char name[AUTHLEN]; /* PAP/CHAP system name */
+ char key[AUTHLEN]; /* PAP/CHAP key */
 } auth;
- unsigned opt; /* Uses OPT_ bits from above */
- char label[50]; /* last thing `load'ed */
- u_short ifqueue; /* Interface queue size */
+ unsigned long long optmask; /* Uses OPT_ bits from above */
+ char label[50]; /* last thing `load'ed */
+ u_short ifqueue; /* Interface queue size */
 struct {
- unsigned timeout; /* How long to leave the output queue choked */
+ unsigned timeout; /* How long to leave the output queue choked */
 } choked;
 } cfg;
diff --git a/usr.sbin/ppp/command.c b/usr.sbin/ppp/command.c
index 7f30097..acd1075 100644
--- a/usr.sbin/ppp/command.c
+++ b/usr.sbin/ppp/command.c
@@ -167,7 +167,7 @@
 #define NEG_MPPE 54
 #define NEG_CHAP81 55
-const char Version[] = "3.4";
+const char Version[] = "3.4.1";
 static int ShowCommand(struct cmdargs const *);
 static int TerminalCommand(struct cmdargs const *);
@@ -2612,7 +2612,7 @@ NatEnable(struct cmdargs const *arg)
 return 0;
 } else if (strcasecmp(arg->argv[arg->argn], "no") == 0) {
 arg->bundle->NatEnabled = 0;
- arg->bundle->cfg.opt &= ~OPT_IFACEALIAS;
+ opt_disable(arg->bundle, OPT_IFACEALIAS);
 /* Don't iface_Clear() - there may be manually configured addresses */
 return 0;
 }
@@ -2757,24 +2757,32 @@ ident_cmd(const char *cmd, unsigned *keep, unsigned *add)
 static int
 OptSet(struct cmdargs const *arg)
 {
- int bit = (int)(long)arg->cmd->args;
- unsigned keep; /* Keep these bits */
- unsigned add; /* Add these bits */
+ int opt = (int)(long)arg->cmd->args;
+ unsigned keep; /* Keep this opt */
+ unsigned add; /* Add this opt */
 if (ident_cmd(arg->argv[arg->argn - 2], &keep, &add) == NULL)
 return 1;
 #ifndef NOINET6
- if (add == NEG_ENABLED && bit == OPT_IPV6CP && !probe.ipv6_available) {
+ if (add == NEG_ENABLED && opt == OPT_IPV6CP && !probe.ipv6_available) {
 log_Printf(LogWARN, "IPv6 is not available on this machine\n");
 return 1;
 }
 #endif
+ if (!add && ((opt == OPT_NAS_IP_ADDRESS &&
+ !Enabled(arg->bundle, OPT_NAS_IDENTIFIER)) ||
+ (opt == OPT_NAS_IDENTIFIER &&
+ !Enabled(arg->bundle, OPT_NAS_IP_ADDRESS)))) {
+ log_Printf(LogWARN,
+ "Cannot disable both NAS-IP-Address and NAS-Identifier\n");
+ return 1;
+ }
 if (add)
- arg->bundle->cfg.opt |= bit;
+ opt_enable(arg->bundle, opt);
 else
- arg->bundle->cfg.opt &= ~bit;
+ opt_disable(arg->bundle, opt);
 return 0;
 }
@@ -2782,12 +2790,12 @@ OptSet(struct cmdargs const *arg)
 static int
 IfaceAliasOptSet(struct cmdargs const *arg)
 {
- unsigned save = arg->bundle->cfg.opt;
+ unsigned long long save = arg->bundle->cfg.optmask;
 int result = OptSet(arg);
 if (result == 0)
 if (Enabled(arg->bundle, OPT_IFACEALIAS) && !arg->bundle->NatEnabled) {
- arg->bundle->cfg.opt = save;
+ arg->bundle->cfg.optmask = save;
 log_Printf(LogWARN, "Cannot enable iface-alias without NAT\n");
 result = 2;
 }
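Review bot: The new `Cannot disable both` block in OptSet carries no explanation of why the two options are mutually required, which is exactly the kind of rule a later maintainer is tempted to drop as an oddity. Suggest a comment above the `if (!add && ...)`: `/* RFC 2865 4.1: an Access-Request must carry NAS-IP-Address or NAS-Identifier (or both), so refuse to clear the last one */`. The refusal is evaluated before `opt_disable` runs, so the ordering is correct as written.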
@@ -2928,6 +2936,10 @@ static struct cmdtab const NegotiateCommands[] = {
 "disable|enable", (const void *)OPT_KEEPSESSION},
 {"loopback", NULL, OptSet, LOCAL_AUTH, "Loop packets for local iface",
 "disable|enable", (const void *)OPT_LOOPBACK},
+ {"nas-ip-address", NULL, OptSet, LOCAL_AUTH, "Send NAS-IP-Address to RADIUS",
+ "disable|enable", (const void *)OPT_NAS_IP_ADDRESS},
+ {"nas-identifier", NULL, OptSet, LOCAL_AUTH, "Send NAS-Identifier to RADIUS",
+ "disable|enable", (const void *)OPT_NAS_IDENTIFIER},
 {"passwdauth", NULL, OptSet, LOCAL_AUTH, "Use passwd file",
 "disable|enable", (const void *)OPT_PASSWDAUTH},
 {"proxy", NULL, OptSet, LOCAL_AUTH, "Create a proxy ARP entry",
@@ -2944,9 +2956,9 @@ static struct cmdtab const NegotiateCommands[] = {
 "disable|enable", (const void *)OPT_UTMP},
 #ifndef NOINET6
-#define OPT_MAX 14 /* accept/deny allowed below and not above */
+#define NEG_OPT_MAX 16 /* accept/deny allowed below and not above */
 #else
-#define OPT_MAX 12
+#define NEG_OPT_MAX 14
 #endif
 {"acfcomp", NULL, NegotiateSet, LOCAL_AUTH | LOCAL_CX,
@@ -3018,7 +3030,7 @@ NegotiateCommand(struct cmdargs const *arg)
 for (n = arg->argn; n < arg->argc; n++) {
 argv[1] = arg->argv[n];
 FindExec(arg->bundle, NegotiateCommands + (keep == NEG_HISMASK ?
- 0 : OPT_MAX), 2, 1, argv, arg->prompt, arg->cx);
+ 0 : NEG_OPT_MAX), 2, 1, argv, arg->prompt, arg->cx);
 }
 } else if (arg->prompt)
 prompt_Printf(arg->prompt, "Use `%s ?' to get a list.\n",
diff --git a/usr.sbin/ppp/main.c b/usr.sbin/ppp/main.c
index 6f68b7f..097de79 100644
--- a/usr.sbin/ppp/main.c
+++ b/usr.sbin/ppp/main.c
@@ -393,7 +393,7 @@ main(int argc, char **argv)
 SignalBundle = bundle;
 bundle->NatEnabled = sw.nat;
 if (sw.nat)
- bundle->cfg.opt |= OPT_IFACEALIAS;
+ opt_enable(bundle, OPT_IFACEALIAS);
 if (system_Select(bundle, "default", CONFFILE, prompt, NULL) < 0)
 prompt_Printf(prompt, "Warning: No default entry found in config file.\n");
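Review bot: `NEG_OPT_MAX` is still a hand-counted table index — the position of the `"acfcomp"` entry that follows the `#endif` — and this hunk shows it being bumped by hand (14 to 16, 12 to 14) because two OptSet entries were inserted above it; `/* accept/deny allowed below and not above */` does not tell the next person that the literal must move with the table. Suggest `/* index of the first accept/deny entry ("acfcomp"); bump whenever an OptSet entry is added above it */`. Deriving the split point from the table itself instead of a literal would remove the hazard, but that is outside this change.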
diff --git a/usr.sbin/ppp/ppp.8.m4 b/usr.sbin/ppp/ppp.8.m4
index 8100ae9..26738ce 100644
--- a/usr.sbin/ppp/ppp.8.m4
+++ b/usr.sbin/ppp/ppp.8.m4
@@ -3067,6 +3067,49 @@ the other end.
 It is convenient to have this option enabled when the interface is also the default route as it avoids the necessity of a loopback route.
+.It NAS-IP-Address
+Default: Enabled.
+This option controls whether
+.Nm
+sends the
+.Dq NAS-IP-Address
+attribute to the RADIUS server when RADIUS is in use
+.Pq see Dq set radius .
+.Pp
+Note, at least one of
+.Dq NAS-IP-Address
+and
+.Dq NAS-Identifier
+must be enabled.
+.Pp
+Versions of
+.Nm
+prior to version 3.4.1 did not send the
+.Dq NAS-IP-Address
+atribute as it was reported to break the Radiator RADIUS server.
+As the latest rfc (2865) no longer hints that only one of
+.Dq NAS-IP-Address
+and
+.Dq NAS-Identifier
+should be sent (as rfc 2138 did),
+.Nm
+now sends both and leaves it up to the administrator that chooses to use
+bad RADIUS implementations to
+.Dq disable NAS-IP-Address .
+.It NAS-Identifier
+Default: Enabled.
+This option controls whether
+.Nm
+sends the
+.Dq NAS-Identifier
+attribute to the RADIUS server when RADIUS is in use
+.Pq see Dq set radius .
+.Pp
+Note, at least one of
+.Dq NAS-IP-Address
+and
+.Dq NAS-Identifier
+must be enabled.
 .It passwdauth
 Default: Disabled.
 Enabling this option will tell the PAP authentication
diff --git a/usr.sbin/ppp/radius.c b/usr.sbin/ppp/radius.c
index 18ba57d..03d4555 100644
--- a/usr.sbin/ppp/radius.c
+++ b/usr.sbin/ppp/radius.c
@@ -856,10 +856,8 @@ radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name,
 const char *what = "questionable"; /* silence warnings! */
 char *mac_addr;
 int got;
-#if 0
 struct hostent *hp;
 struct in_addr hostaddr;
-#endif
 #ifndef NODES
 struct mschap_response msresp;
 struct mschap2_response msresp2;
@@ -981,8 +979,8 @@ radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name,
 if (gethostname(hostname, sizeof hostname) != 0)
 log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno));
 else {
-#if 0
- if ((hp = gethostbyname(hostname)) != NULL) {
+ if (Enabled(authp->physical->dl->bundle, OPT_NAS_IP_ADDRESS) &&
+ (hp = gethostbyname(hostname)) != NULL) {
 hostaddr.s_addr = *(u_long *)hp->h_addr;
 if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) {
 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
@@ -991,8 +989,8 @@ radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name,
 return 0;
 }
 }
-#endif
- if (rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
+ if (Enabled(authp->physical->dl->bundle, OPT_NAS_IDENTIFIER) &&
+ rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
 rad_strerror(r->cx.rad));
 rad_close(r->cx.rad);
@@ -1059,10 +1057,8 @@ radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl,
 int got;
 char hostname[MAXHOSTNAMELEN];
 char *mac_addr;
-#if 0
 struct hostent *hp;
 struct in_addr hostaddr;
-#endif
 if (!*r->cfg.file)
 return;
@@ -1168,8 +1164,8 @@ radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl,
 if (gethostname(hostname, sizeof hostname) != 0)
 log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno));
 else {
-#if 0
- if ((hp = gethostbyname(hostname)) != NULL) {
+ if (Enabled(dl->bundle, OPT_NAS_IP_ADDRESS) &&
+ (hp = gethostbyname(hostname)) != NULL) {
 hostaddr.s_addr = *(u_long *)hp->h_addr;
 if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) {
 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
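Review bot: `hostaddr.s_addr = *(u_long *)hp->h_addr;`, which this hunk (and the matching @@ -1168 hunk in radius_Account) brings back to life by dropping the `#if 0`, reads `sizeof(u_long)` bytes — 8 on 64-bit targets — from an `h_addr` that holds only `hp->h_length` bytes (4 for AF_INET), and it never checks that `gethostbyname()` returned an IPv4 address at all. That is an out-of-bounds read through an aliasing cast, so the family and length should be tested and the bytes copied with `memcpy` (assuming `<string.h>` and `<sys/socket.h>` are already included in this file); the `rad_put_addr` failure message also wrongly names `rad_put_string`. Separately, `gethostbyname()` on the local hostname often resolves via /etc/hosts and may yield a loopback address, which makes the NAS-IP-Address attribute useless to the server for identifying this NAS — worth a comment or a check on the result. The body of radius_Authenticate continues past the end of the hunk.
```c
      if (Enabled(authp->physical->dl->bundle, OPT_NAS_IP_ADDRESS) &&
          (hp = gethostbyname(hostname)) != NULL &&
          hp->h_addrtype == AF_INET && hp->h_length == sizeof hostaddr) {
        /* h_addr holds h_length bytes, not sizeof(u_long): copy exactly 4 */
        memcpy(&hostaddr, hp->h_addr, sizeof hostaddr);
        if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) {
          log_Printf(LogERROR, "rad_put: rad_put_addr: %s\n",
          /* … unchanged: rad_strerror(), rad_close(), return 0 … */
```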
@@ -1178,8 +1174,8 @@ radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl,
 return;
 }
 }
-#endif
- if (rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
+ if (Enabled(dl->bundle, OPT_NAS_IDENTIFIER) &&
+ rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
 rad_strerror(r->cx.rad));
 rad_close(r->cx.rad);